Overview of Botnet Prevention and Detection Techniques
What is a Botnet?
A botnet is a chain of connected computers coordinated together to perform a task. Botnets are used for both bad and good purposes. A botnet is not created to infect just a single computer; it is designed to infect thousands of devices. IRC bots were the first directly built botnets. Botnets are responsible for many cyber attacks, from DDoS (Distributed Denial of Service) and spam attacks to click fraud and keylogging. The botnet gains a foothold on each botnet slave, each slave communicates with the C&C servers, and the entire botnet carries out various attacks.
Bot herders (those who operate botnets, controlling the compromised hosts from a remote location) often deploy botnets through a virus. Once the computers are infected, the bots communicate over the Internet, and the botnet then has free access to modify personal information, attack other computers, and commit other crimes.
Benefits of Bots
Bots are useful to online businesses: they help create the required visibility for their websites on the internet.
Whenever someone searches for a product or service, relevant results are shown. How is that possible? Bots are behind it.
They also help improve a website's SEO: crawler bots visit the pages and index them in the robots.txt file of websites.
Demerits of Bots
Bots can carry out many malicious activities, such as -
- Stealing content such as passwords.
- Damaging the host machine.
- Scraping content and publishing it elsewhere.
- DDoS attacks.
- Sending spam or viruses to others.
- Bitcoin mining.
How to Adopt Botnets?
Botnets can be good or bad. Positive adoption helps online businesses: creating a robots.txt file and letting the bots work behind the scenes improves SEO, and bots are also used for security checks.
For destructive purposes, they can be used for DDoS attacks, spreading viruses, or earning money through illegal botnet activity.
Integral Parts of Botnets Include -
- Command and Control server (C&C)
- Botmasters / Herders
- Sniffing and scanning module
- Update module
- Peer list
- Distribution module
Types of Botnets
Botnets are categorized into four groups -
- HTTP botnet
- P2P botnet
- IRC (Internet Relay Chat) botnet
- Hybrid botnet (the result of all types of Botnet Structures)
How Do Botnets Communicate/Work?
The fundamental characteristic of a botnet is the ability to receive updated instructions (commands) from the bot herder. The capability to communicate with each bot in the network enables the attacker to change the attack vectors, change the targeted IP, terminate an attack, and take other customized actions. Botnet designs vary, but the control structures can be broken down into two general categories - the client/server botnet model and the peer-to-peer botnet model.
Botnets use different protocols for communication, but most of them establish communication with their C&Cs (Command and Control servers) using either IRC (Internet Relay Chat) or HTTP (Hypertext Transfer Protocol).
The benefits of IRC communication are easy automation using scripts and readily available IRC servers, which is why this protocol is best for botnet creation and deployment. During infection, the botnet malware installs an IRC client on the compromised computer, which in turn helps establish communication with the IRC server on the C&C. But it is no longer the best way to communicate, as IRC packets often raise red flags, and many admins block IRC packets at their firewalls.
HTTP is another communication protocol for botnets and is the firewall-friendly option. Zeus is one of the most dangerous botnets that communicate via HTTP.
How to Detect Botnets?
Botnets are challenging to detect because they use only small amounts of computing resources, which helps them avoid detection. More complicated botnets are designed to update their behavior to thwart detection by cybersecurity software. Still, there are some signs that help in detecting botnets -
- The computer starts acting strangely and runs slower than before.
- The computer gives error messages.
- The fan suddenly starts up when the system is idle.
- The virus scanner sounds the alarm.
- Task Manager may offer some clues, so check it.
- Unexpected pop-ups (as a result of click fraud activity).
- Suddenly increased traffic, particularly for Port 6667 (used for IRC), Port 25, and Port 1080 (used by proxy servers).
- Problems with Internet access.
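The traffic sign in the list above (a sudden increase on ports 6667, 25, and 1080) can be checked automatically against flow records. The following is an added example, not part of the original article; the record layout, the sample data, and the thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

# Ports named in the detection list: IRC, mail (SMTP), and proxy servers.
WATCHED_PORTS = {6667: "IRC", 25: "SMTP", 1080: "proxy"}

# Constructed sample flow records: (minute, source host, destination port, connections).
SAMPLE_FLOWS = [
    (0, "10.0.0.5", 25, 2), (1, "10.0.0.5", 25, 3), (2, "10.0.0.5", 25, 2),
    (3, "10.0.0.5", 25, 90),                                   # sudden mail burst
    (0, "10.0.0.7", 443, 40), (3, "10.0.0.7", 443, 400),       # busy, but not a watched port
    (3, "10.0.0.9", 6667, 12),                                 # IRC from a host with no history
    (0, "10.0.0.8", 1080, 5), (1, "10.0.0.8", 1080, 6),
    (2, "10.0.0.8", 1080, 4), (3, "10.0.0.8", 1080, 6),        # steady proxy use
]

def find_spikes(flows, current_minute, factor=5.0, min_connections=10):
    """Flag hosts whose connections to a watched port in the current minute
    exceed `factor` times their average over the earlier minutes."""
    past = defaultdict(int)      # (host, port) -> connections before current_minute
    now = defaultdict(int)       # (host, port) -> connections in current_minute
    earlier_minutes = set()
    for minute, host, port, count in flows:
        if minute < current_minute:
            earlier_minutes.add(minute)
        if port not in WATCHED_PORTS:
            continue
        if minute == current_minute:
            now[(host, port)] += count
        elif minute < current_minute:
            past[(host, port)] += count
    span = len(earlier_minutes) or 1   # avoid dividing by zero with no history
    alerts = []
    for (host, port), current in sorted(now.items()):
        baseline = past[(host, port)] / span
        # min_connections suppresses alerts on tiny absolute volumes.
        if current >= min_connections and current > factor * baseline:
            alerts.append((host, port, WATCHED_PORTS[port], round(baseline, 2), current))
    return alerts

if __name__ == "__main__":
    for alert in find_spikes(SAMPLE_FLOWS, current_minute=3):
        print("ALERT host=%s port=%d (%s) baseline=%.2f/min now=%d" % alert)
```

A host that has never used a watched port has a baseline of zero, so any volume above the minimum is flagged; a legitimate mail or proxy server should be excluded or given its own threshold.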
Botnet Prevention Techniques
Computers are infected by botnets either through a worm or virus that installs the bot, or when someone visits a malicious or untrusted website that exploits a vulnerability in the browser and installs it. The following measures help prevent infection -
- Update the operating system.
- Avoid email attachments from suspicious or unknown sources.
- Avoid downloads from P2P and file-sharing networks.
- Don’t click on suspicious links.
- Get Antivirus Software.
- Disable unused ports.
- Create secure passwords.
- Periodic system wipe/restores.
- Implement good ingress and egress filtering practices.
- Be careful with third-party applications and access requests.
- Network Intrusion Detection Systems (NIDS).
- Rootkit detection packages.
- Network sniffers for detection/prevention.
A botnet is a collection or chain of computers compromised by malware and brought under the control of a malicious actor, the controller, also known as the botmaster or herder. It can severely affect a business and carry out many malicious activities without even being detected.